Authenticode and Strong naming ("signing")
It kills me that the names for these processes are "Code signing" and "Strong Name signing".
So this is the scenario. I'd like for my assembly to be strong named (able to be loaded into the GAC, and used in strong-named apps) and I'd like it to be code signed (verifiably from me, and verifiably changed or not).
Instead of writing you a walk-through, I'm going to post some links to important articles, then post the build script that allows me to go from a raw Assembly to an obfuscated, strong-named, code-signed assembly.
A tip to all the college hobbyists out there: Obtaining a code-signing certificate that allows you to publish code publicly costs ~ $500 from Verisign, $200 from Thawte, and ~179 from Comodo. Comodo has horrible customer service, so I went to Thawte (owned by Verisign) and never looked back. Thawte's been great.
In the meantime, or just for fun, you can create your own code-signing certificate and install the cert on your local machine for testing of code-signing (Authenticode) success.
Links
1. Best article, defining the two processes and what each does
http://www.robrich.org/archive/2006/11/29/Code-Signing-two-worlds-defined.aspx
2. .NET Security blog from Shawn, explaining the order of processes and why
http://blogs.msdn.com/shawnfa/archive/2007/01/10/combining-strong-names-with-authenticode.aspx
3. Explaining Strong Naming
http://msdn.microsoft.com/msdnmag/issues/06/07/CLRInsideOut/default.aspx
4. And on Strong Name integration with VS 2005
http://blogs.msdn.com/shawnfa/archive/2006/02/14/531921.aspx
Code (I renamed some of my files, and blanked my private key password, hope you don't mind)
:: Begin SignAssembly.bat
:: Obfuscate the library
:: In : Raw
:: Out: Obfuscated
"C:\Program Files\Wise Owl, Inc\Demeanor for .NET, Enterprise Edition\v4.0\Demeanor.exe" /application /encryptstrings /names:alpha /noenums /out:".\Obfuscated" ".\Raw\MyAssembly.dll"
:: Create the strong-named assembly
:: In : Obfuscated
:: Out: ObfuscatedAndStrongnamed
copy ".\Obfuscated\MyAssembly.dll" ".\ObfuscatedAndStrongnamed\MyAssembly.dll"
sn -Ra ".\ObfuscatedAndStrongnamed\MyAssembly.dll" BusinessCodeSigningKey.Single.PublicPrivate.pfx
:: Codesign the library
:: In : ObfuscatedAndStrongnamed
:: Out: ObfuscatedAndStrongnamedAndCodesigned
copy ".\ObfuscatedAndStrongnamed\MyAssembly.dll" ".\ObfuscatedAndStrongnamedAndCodesigned\MyAssembly.dll"
signtool sign /f BusinessCodeSigningKey.Single.PublicPrivate.pfx /p *********** /t http://timestamp.verisign.com/scripts/timstamp.dll /d "Description of the dll file" /du http://mywebsite.com ".\ObfuscatedAndStrongnamedAndCodesigned\MyAssembly.dll"
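A post-build check for the script above, added here as an example and not part of my original build script: it confirms that the final file still carries a valid strong name after Authenticode signing and that the Authenticode signature verifies. The file name VerifyAssembly.bat is hypothetical, and it assumes sn and signtool are on the PATH, as SignAssembly.bat does.

```bat
@echo off
:: Begin VerifyAssembly.bat (added example; hypothetical file name)
setlocal
set "TARGET=.\ObfuscatedAndStrongnamedAndCodesigned\MyAssembly.dll"

if not exist "%TARGET%" (
    echo FAIL: %TARGET% not found, run SignAssembly.bat first
    exit /b 1
)

:: Strong name check.
:: -vf forces verification even if the assembly is registered to skip it,
:: so a delay-signed or tampered file cannot pass silently.
sn -q -vf "%TARGET%"
if errorlevel 1 (
    echo FAIL: strong name signature is missing or invalid
    exit /b 2
)

:: Authenticode check.
:: /pa selects the default authentication verification policy, /v prints the
:: signer chain and timestamp so the signing certificate can be read off.
signtool verify /pa /v "%TARGET%"
if errorlevel 1 (
    echo FAIL: Authenticode signature is missing, invalid, or not trusted
    exit /b 3
)

:: Print the public key token so it can be compared with the one
:: that referencing applications expect.
sn -q -T "%TARGET%"

echo OK: strong name and Authenticode signature both verify
exit /b 0
```

With a self-made test certificate, the signtool step fails until that certificate is trusted on the local machine.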
As always, comments or questions are welcome.